Modernizing Authentication — What It Takes to Transform Secure Access
In their most recent industry-wide survey, the Authentication and Online Trust Alliance (AOTA) found that adoption of email and domain-level authentication techniques has reached the 50 percent mark, including a majority of Fortune 500 financial services firms and companies with consumer-facing brands.
AOTA's research looked at a number of categories of businesses with online presences and found that many of the top brands and biggest Internet retailers have taken steps to protect their online reputations by adopting things like Sender ID Framework (SIDF) and DomainKeys Identified Mail (DKIM) to help foil forged email and password phishing.
"Email Authentication has now surpassed the tipping point, and we are encouraged with improvements in all key areas of measurement," said Craig Spiezle, chairman of AOTA and Director of Internet Security & Privacy at Microsoft Corporation. The latest adoption data and industry collaboration is a testament to how these organizations are stepping up to protect their brands and consumers. AOTA is calling on all brand owners to implement domain level authentication within the next six months.
Spam, phishing and other forms of fraudulent email are ever-increasing threats to the safety of consumers and to the reputation of brands they rely upon. According to many reports, as much as 80 percent of email claiming to be from leading brands, banks and ISPs is actually spoofed.
The immediate value for authenticated senders is that receiving systems can use authentication to verify the legitimacy of each message's claimed source. If the authenticity is verified, it can be quickly and reliably delivered to the recipient's inbox, while a forgery can be either rejected or subjected to further scrutiny.
Authentication on the outbound is only one piece of the puzzle; receivers are also beginning to look for authentication and beginning to use the presence of authentication as a positive reputation element.
While no sites currently require mail to be authenticated in order to get delivery (and I don't really see any sane organization doing that, ever), some of the businesses that are early adopters of authentication are getting more and more comfortable with the idea of telling receivers that any unauthenticated email purporting to be from them should be discarded.
As I've written about before, the value of authentication goes beyond just foiling password phishers. The benefits of authentication include brand protection and enhanced email deliverability. As more and more ISPs look for authentication to differentiate senders and assess the reputation of their inbound mail stream, brands that have not authenticated are going to find themselves at a competitive disadvantage, with their customers unnecessarily exposed to spam and phishing attacks from cybercriminals.
"Email authentication is a necessary component to solidifying the future viability of email as well as strengthening consumer trust in the online channel," said David Daniels, vice president and research director at JupiterResearch. Companies that adopt at their corporate and marketing levels will have a competitive advantage.
Added Benefit to Deployment
One of the interesting side benefits of deploying authentication, which I will explore in greater detail in an upcoming column, is that the deployment process turns out to also be an excellent framework for helping enterprises get a better understanding of their email infrastructure. For security, data protection, and data governance purposes, the process of deploying authentication can carry with it many tangible benefits to the enterprise far beyond the obvious ones.
AOTA has issued a call for all consumer-facing e-commerce and online financial services sites to adopt one or more forms of outbound email authentication for their top-level corporate domain within the next six months.
This is an ambitious challenge by AOTA, but for any company that depends upon how it is perceived by its customers (is there any business that doesn't?), the decision to take up this challenge is getting easier and easier to justify.
Indeed, with the increasing benefits of using authentication, it's going to get harder and harder to justify not using authentication. To that end, I hope AOTA's study will provide good fuel for driving the authentication process forward at nearly every level of the industry.